Medium severity (6.1) · NVD Advisory · Published Apr 13, 2017 · Updated Jun 17, 2026
CVE-2017-7725
Description
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "canonical" URL on installation of concrete5 using the "Advanced Options" settings. Remote attackers can make a GET request with any domain name in the Host header; this is stored and allows for arbitrary domains to be set for certain links displayed to subsequent visitors, potentially an XSS vector.
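The behaviour described above, as an added illustration that is not concrete5's own code: a naive full-page cache keyed only by request path, a link builder that falls back to the raw Host header when no canonical URL is configured, and a hardened variant that either uses the configured canonical URL or rejects any Host value not on a deployment allowlist. The host names, the `TRUSTED_HOSTS` set and the `simulate` driver are constructed for this example.

```python
"""Added example (not concrete5 code): Host header trust during caching.

Shows why a cached page built from an unvalidated Host header carries one
request's Host value to every later visitor, and how a configured canonical
URL or a host allowlist prevents it.
"""
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts this deployment is meant to answer for.
TRUSTED_HOSTS = {"example.org", "www.example.org"}


def base_url_untrusted(request_host: str, canonical_url: Optional[str]) -> str:
    """Vulnerable pattern: no canonical URL configured -> trust the Host header as-is."""
    if canonical_url:
        return canonical_url.rstrip("/")
    return f"https://{request_host}"


def base_url_hardened(request_host: str, canonical_url: Optional[str]) -> str:
    """Hardened pattern: canonical URL wins; otherwise Host must be on the allowlist."""
    if canonical_url:
        return canonical_url.rstrip("/")
    host = request_host.split(":", 1)[0].lower()  # drop any :port, normalise case
    if host not in TRUSTED_HOSTS:
        raise ValueError(f"untrusted Host header: {request_host!r}")
    return f"https://{host}"


class PageCache:
    """Page cache keyed by path only; the Host header is not part of the key."""

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}

    def render(self, path: str, base_url_fn: Callable[[str, Optional[str]], str],
               request_host: str, canonical_url: Optional[str]) -> str:
        # The first request for a path decides what every later visitor receives.
        if path not in self._store:
            base = base_url_fn(request_host, canonical_url)
            self._store[path] = f'<a href="{base}/login">Log in</a>'
        return self._store[path]


def simulate(base_url_fn: Callable[[str, Optional[str]], str],
             canonical_url: Optional[str],
             first_host: str = "injected.example",
             second_host: str = "www.example.org") -> str:
    """Constructed scenario: an unexpected Host value arrives first, a normal visitor second.

    Returns the HTML the second (normal) visitor is served from the cache.
    """
    cache = PageCache()
    try:
        cache.render("/", base_url_fn, first_host, canonical_url)
    except ValueError:
        pass  # hardened builder refused the Host value; nothing was cached
    return cache.render("/", base_url_fn, second_host, canonical_url)


def link_host(html: str) -> Optional[str]:
    """Extract the hostname from the single href in the cached fragment."""
    href = html.split('href="', 1)[1].split('"', 1)[0]
    return urlsplit(href).hostname


if __name__ == "__main__":
    print("no canonical, untrusted:", link_host(simulate(base_url_untrusted, None)))
    print("canonical set, untrusted:", link_host(simulate(base_url_untrusted, "https://www.example.org/")))
    print("no canonical, hardened:", link_host(simulate(base_url_hardened, None)))
```

Setting a canonical URL at install time, as the description recommends, removes the Host header from link generation entirely; where that is not possible, validating Host against a fixed allowlist before anything derived from it is cached has the same effect, because a rejected request never populates the cache.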
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| concrete5/concrete5 (Packagist) | <= 8.1.0 | — |
References
- hyp3rlinx.altervista.org/advisories/CONCRETE5-v8.1.0-HOST-HEADER-INJECTION.txt (NVD: Exploit, Third Party Advisory)
- hackerone.com/reports/148300 (NVD: Exploit, Third Party Advisory, VDB Entry)
- packetstormsecurity.com/files/142145/concrete5-8.1.0-Host-Header-Injection.html (NVD: Exploit, Third Party Advisory, VDB Entry)
- www.exploit-db.com/exploits/41885/ (NVD: Exploit, Third Party Advisory, VDB Entry)
- www.securityfocus.com/bid/97649 (NVD: Third Party Advisory, VDB Entry)
- github.com/advisories/GHSA-2mvg-c6mg-3q63 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-7725 (GHSA: Advisory)
- web.archive.org/web/20210124030008/https://www.securityfocus.com/bid/97649 (GHSA: Web)
- www.exploit-db.com/exploits/41885 (GHSA: Web)